Cyber Resilience

CVE-2025-0498

High

Published: 30 January 2025

Modified: 04 November 2025
KEV Added
Patch
CVSS Score v4: 7.0
CVSS v4 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0014 (34.6th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0498 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Rockwell Automation FactoryTalk AssetCentre. Its CVSS base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). The CVE ranks at the 34.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-0498 is a data exposure vulnerability affecting all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The issue arises from insecure storage of FactoryTalk® Security user tokens (CWE-522), which could allow a threat actor to steal a token and impersonate another user. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-30.

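According to that v3.1 vector, the vulnerability can be exploited by any unauthenticated attacker with network access to the affected system, with low complexity and no user interaction. The CVSS v4 vector listed above instead specifies local access, low privileges and passive user interaction (AV:L/PR:L/UI:P), so the attack-surface assessment depends on which vector is used. Successful exploitation enables token theft, allowing the attacker to impersonate legitimate users and achieve high impacts on confidentiality, integrity, and availability.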

Mitigation details are provided in the Rockwell Automation security advisory at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1721.html.

Vulnerability details

A data exposure vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to insecure storage of FactoryTalk® Security user tokens, which could allow a threat actor to steal a token and impersonate another user.

CWE(s)

CWE-522 · Insufficiently Protected Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1528 · Steal Application Access Token · Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

T1552 · Unsecured Credentials · Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.

T1078 · Valid Accounts · Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

Insecure token storage (CWE-522) directly enables credential theft (T1552/T1528) and impersonation with valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0477 · Same product: Rockwell Automation FactoryTalk AssetCentre
CVE-2025-0497 · Same product: Rockwell Automation FactoryTalk AssetCentre
CVE-2025-7972 · Same vendor: Rockwell Automation
CVE-2025-9278 · Same vendor: Rockwell Automation
CVE-2025-9279 · Same vendor: Rockwell Automation
CVE-2025-9064 · Same vendor: Rockwell Automation
CVE-2025-9464 · Same vendor: Rockwell Automation
CVE-2025-9280 · Same vendor: Rockwell Automation
CVE-2025-9161 · Same vendor: Rockwell Automation
CVE-2025-9465 · Same vendor: Rockwell Automation

Affected Assets

Vendor: rockwellautomation
Product: factorytalk assetcentre
Versions: ≤ 15.00.01

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires protecting user token authenticator content from unauthorized disclosure and modification, addressing the core insecure storage issue in FactoryTalk AssetCentre.

Prevent: Mandates confidentiality protections such as encryption for information at rest, preventing theft of insecurely stored FactoryTalk Security user tokens.

Prevent: Enforces approved authorizations for access to system resources including token storage locations, blocking unauthorized network-accessible reads that enable token theft and user impersonation.
